CVE-2003-0609
Published: 2003-08-27
Stack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6 through 9 allows local users to gain root privileges via a long LD_PRELOAD environment variable.
Priority: P4 32 high
CVSS 2.0 base score: 7.2 (high), vector AV:L/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available (see Exploit-DB entries below)
EPSS: 3.52% (87.8th percentile)
Affected (6 ranges):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | sunos | — | — |
| sun | sunos | — | — |
No detection rules found.
Exploit-DB: Solaris 2.6/7/8/9 (SPARC) - 'ld.so.1' Local Privilege Escalation (exploitdb, 2004-12-24)
---
/*
* $Id: raptor_ldpreload.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
*
* raptor_ldpreload.c - ld.so.1 local, Solaris/SPARC 2.6/7/8/9
* Copyright (c) 2003-2004 Marco Ivaldi
*
* Stack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6
* through 9 allows local users to gain root privileges via a long LD_PRELOAD
* environment variable (CAN-2003-0609).
*
* This exploit uses the ret-into-ld.so technique, to effectively bypass the
* non-executable stack protection (noexec_user_stack=1 in /etc/system). This
* is a weird vulnerability indeed: the standard ret-into-stack doesn't seem
* to work properly for some reason (SEGV_ACCERR), and at least my version of
* Solaris 8 (Generic_108528-13) is very hard to exploi
Exploit-DB: Solaris Runtime Linker (SPARC) - 'ld.so.1' Local Buffer Overflow (exploitdb, 2003-10-27)
---
/* #############################
* ## ld.so.1 exploit (SPARC) ##
* #############################
* [coded by: osker178 (bjr213 psu.edu)]
*
* Alright, so this exploits a fairly standard buffer
* overflow in the default Solaris runtime linker (ld.so.1)
* (discovery by Jouko Pynnonen)
* Only real deviation here from the standard overflow
* and return into libc scenario is that at the time that
* overflow occurs, the libc object file has not been loaded;
* so it's not really possible to return into a libc function.
* However, this poses no real problem to us, as ld.so.1
* provides it's own ___cpy() functions which we can use to
* move our shellcode into an appropriate place in memory.
*
* Some things to note:
*
* - obviousl
No writeups or analysis indexed.
References:
- http://marc.info/?l=bugtraq&m=105951760418667&w=2
- http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55680
- http://www.idefense.com/advisory/07.29.03.txt
- http://www.osvdb.org/8722
- https://exchange.xforce.ibmcloud.com/vulnerabilities/12755
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3601
Published: 2003-08-27